Brexit and the GDPR - why leaving the EU will make life harder for enterprises

Spit five feet inside the IT department of a larger organisation right now and you'll hit someone with a reasonable claim to dislike the onerous EU General Data Protection Regulation (GDPR).

Styled as the most significant piece of privacy law yet enacted, the GDPR has forced the mostly large organisations affected by it to invest serious time and stress in staying on the right side of a regulation that has the power to hit them with fines of up to four percent of turnover for serious breaches when it comes into force in 2018; few would argue otherwise.

But here's the rub: according to a range of experts polled by Computerworld UK, Brexit wouldn't make a jot of difference. Organisations currently affected by it will still have to implement the GDPR or face a range of negative consequences including added costs, unwanted complexity and, potentially, business exclusion. Worse, even those who meet its demands after Brexit could find demonstrating compliance turns into a long and fraught experience.

It's no surprise that Brexit advocates aren't fans. The EU loads Britain with too much costly regulation, they argue, and there can surely be no bigger, badder example of that than the GDPR. But if the UK votes to leave the EU, the strong consensus is that UK enterprises will still face having to implement the most far-reaching piece of privacy law in European business history without the UK's national Government having any guaranteed input into its future direction.

We had difficulty getting many IT or security vendors to go on the record about the issue - mention anything to do with Brexit and most run for the hills for fear of appearing to take sides - but there was near universal agreement off the record that Brexit would seriously complicate an already demanding implementation path.

According to Deema Freij, global privacy officer at US-based content collaboration firm Intralinks, Brexit would leave UK negotiators with a number of choices about how to relate to the GDPR, each with its own difficulties.

In principle, the large enterprises affected by the GDPR (SMEs below 250 employees being largely exempt) would commit to implement it anyway, but unfortunately being outside the EU would open up legal and compliance issues which mean this route would not be as simple as it appears.

It sounds like the ultimate catch: being forced to implement something without the path to achieving it being clear. Multi-nationals would be on the front line of this, but any enterprise that moves customer or employee data to and from the EU would be affected.

"Having left the EU, it would be some time before global and UK companies would know what to do on the issue. During that time, companies would be largely unaware that they might be operating against the law, increasing the risk of technical data breaches," she told Computerworld UK.

This is the uncertainty a lot of Brexit debate has centred around but in this case it has a very technical edge to it. The UK negotiators trying to unpick the UK's legal involvement with the EU would have to put in place a transitional agreement while plotting a longer-term path to allow business to function in an age where data naturally moves across borders.

The most likely model would be for the UK to ask for the status enjoyed by non-EU countries such as Norway, Iceland and Switzerland under the European Economic Area (EEA), but according to Freij this isn't a perfect solution.

"Realistically, more privacy-aware countries, such as Germany, France and Spain, would be likely to put up a fight to challenge the UK's more relaxed approach to data protection legislation," she says.

"Should the UK not be regarded as having 'an adequate level of protection' then, legally, any transfers to the UK would have to be via EU model clauses, a very administrative-heavy task."

Model clauses are currently used to allow the transfer of data to non-EU countries and are usually put in place by service providers (e.g. a cloud provider), which ensures compliance with EU data protection rules, including under the auspices of instruments such as the EU-US Privacy Shield. An alternative is Binding Corporate Rules (BCRs), basically the same instrument but set up by the enterprise itself. Multi-nationals will already use such instruments to move data across the globe, but having to set up another complex layer of these where none previously existed won't go down well.

"Even if these rules were put in place, there are questions over how long this would take," says Freij.

"With the UK data protection authority in the midst of managing these applications for many global conglomerates, any hold up in the process could prevent these companies from finding an alternate legal means of transferring personally identifiable information intra-group around the world."

Whatever the UK's size and relative importance, other experts are more pessimistic about the short-term implications of the UK suddenly being outside a bloc of 27 countries, even if, as expected, the European Commission makes a positive adequacy finding regarding UK data protection standards.

"It will take at least two years for the UK to figure out how to leave. Data protection is one of thousands of things to be worked out," comments Marc Dautlich, a partner at legal firm Pinsent Masons who specialises in data protection.

"Think about how long the negotiations between the EU and the US have taken," he points out, referring to the Privacy Shield data transfer agreement between the EU and the US, meant to replace Safe Harbour that collapsed in October 2015 under legal challenge. "They have been locked in negotiations for 18 months before last October," he adds, gloomily.

"If I were running a company I'd set up in one of the 27 countries. If leave happens, I have an office in a country [in the EU]. It will cost me because I'll have to hire some lawyers but they will muddle through."

Some UK firms would likely create shadow companies to demarcate data for the sake of simplicity, a complicated and expensive solution designed to make data handling easier. Firms from beyond the EU will simply avoid setting up in the UK at all.

"US companies will say I can't set up my company in the UK anymore because there is this barrier. I have added this layer of legal uncertainty. I am going to set up in France instead."

According to Brett Hansen, Dell's executive director of data security, in the end the GDPR comes down to whether it's a good idea over and above the issues of legality or politics.

"At some point companies are going to want to protect their data because it's good practice. The GDPR is a forcing function but it's a good idea because you will be better able to protect your company in terms of lawsuits and loss of customer data," he says.

"They are enforcing what should be good practices. You need to show that it [data] is protected. That's not anything crazy," he adds while admitting that for Dell and companies like it the GDPR had proved to be "good for business."

In Dell's view the GDPR is simply part of a larger and growing patchwork of regimes that impose demands on data security and management. "GDPR pushes everyone to get to that base level of protection."

Brexit and the GDPR - losing influence

The question remains, however - would not being in the EU make any difference? If companies are able to create a framework, however expensively assembled, that makes it possible for the UK to meet the GDPR's demands by the back door, surely Brexit is a side issue. They will build the GDPR into their thinking because it's a good idea anyway.

Longer term, it would mean that a layer of the country's largest firms would find themselves on the receiving end of a Regulation over which the country's politicians have no direct influence. The UK could reasonably ask for input but it is unlikely it would have any more influence than countries in the EEA. Most likely, the UK's local Regulations might converge with GDPR in some way although that could prove politically contentious should it be extended to cover smaller businesses at some point in the future.

Whatever the long run holds, it is clear that in the short run Brexit will usher in a period of regulatory uncertainty that could take a minimum of two years to clear and almost certainly longer. This alone will add expense and might cause some companies to port their operations to the EU until things become clearer.

Solutions will be found to the practical issues, and IT vendors won't be slow to market themselves as a helping hand to guide confused enterprises through the maze of complexity. This is perhaps the slightly cynical takeaway from the uncertainty of Brexit: the GDPR has cost large firms a fair amount of money and time to migrate to. Ironically, because it implies more legal and technical engineering to achieve legal certainty, Brexit will make this worse.

Leaving the EU has been widely marketed as an escape from the regulation and cost of EU interference, but in the case of the GDPR at least it will be anything but.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.